Merge pull request #48 from AikidoSec/remove-vulnerable-tmp-package

Remove @inquirer/prompts, update eslint.
2026-05-26 12:10:49 +00:00 · 2025-09-15 10:44:37 +02:00 · 2025-09-15 10:44:37 +02:00 · 9785f0e3d2
commit 9785f0e3d2
parent 5658eb04af f163101200
4 changed files with 145 additions and 1229 deletions
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -18,9 +18,9 @@
  "author": "Aikido Security",
  "license": "AGPL-3.0-or-later",
  "devDependencies": {
-    "@eslint/js": "^9.26.0",
-    "eslint": "^9.26.0",
-    "eslint-plugin-import": "^2.31.0",
+    "@eslint/js": "^9.35.0",
+    "eslint": "^9.35.0",
+    "eslint-plugin-import": "^2.32.0",
    "globals": "^16.1.0",
    "typescript-eslint": "^8.32.0"
  },
--- a/packages/safe-chain/package.json
+++ b/packages/safe-chain/package.json
@ -28,7 +28,6 @@
  "license": "AGPL-3.0-or-later",
  "description": "The Aikido Safe Chain wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), [yarn](https://yarnpkg.com/), [pnpm](https://pnpm.io/), and [pnpx](https://pnpm.io/cli/dlx) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, yarn, pnpm, or pnpx from downloading or running the malware.",
  "dependencies": {
-    "@inquirer/prompts": "^7.4.1",
    "abbrev": "^3.0.1",
    "chalk": "^5.4.1",
    "npm-registry-fetch": "^18.0.2",
--- a/packages/safe-chain/src/environment/userInteraction.js
+++ b/packages/safe-chain/src/environment/userInteraction.js
@ -1,6 +1,6 @@
 import chalk from "chalk";
 import ora from "ora";
-import { confirm as inquirerConfirm } from "@inquirer/prompts";
+import { createInterface } from "readline";
 import { isCi } from "./environment.js";

 function emptyLine() {
@ -61,12 +61,29 @@ function startProcess(message) {
 async function confirm(config) {
  if (isCi()) {
    return Promise.resolve(config.default);
-  } else {
-    return inquirerConfirm({
-      message: config.message,
-      default: config.default,
-    });
  }
+
+  const rl = createInterface({
+    input: process.stdin,
+    output: process.stdout,
+  });
+
+  return new Promise((resolve) => {
+    const defaultText = config.default ? " (Y/n)" : " (y/N)";
+    rl.question(`${config.message}${defaultText} `, (answer) => {
+      rl.close();
+
+      const normalizedAnswer = answer.trim().toLowerCase();
+
+      if (normalizedAnswer === "y" || normalizedAnswer === "yes") {
+        resolve(true);
+      } else if (normalizedAnswer === "n" || normalizedAnswer === "no") {
+        resolve(false);
+      } else {
+        resolve(config.default);
+      }
+    });
+  });
 }

 export const ui = {